Madrid, January 16 2005 - This week's virus report looks at three
vulnerabilities, two Trojans -WmvDownloader.A and WmvDownloader.B-, and two
worms -Lasco.A and Gaobot.CKP-.

We start this report by looking at three security problems, for which
Microsoft has this week published the corresponding patches.

- Vulnerability in Windows HTML Help (Microsoft bulletin MS05-001), which
could let an attacker run code with the same privileges as the logged-on user.
It can be exploited through a specially crafted web page and affects
computers with Windows 2003/XP/2000/NT/Me/98.

- A flaw in the way Windows handles the cursor and icon formats (MS05-002).
An attacker could take control of a vulnerable computer by hosting a
specially crafted icon or cursor on a malicious web page or in an HTML email.
It affects computers with Windows 2003/XP/2000/NT/Me/98.

- Vulnerability in the Indexing Service (MS05-003), which allows remote code
execution and privilege escalation. It affects computers with Windows XP
-without Service Pack 2- and Windows 2003.

WmvDownloader.A and WmvDownloader.B are two Trojans distributed across P2P
networks as video files with the extension ".wmv".

WmvDownloader.A and WmvDownloader.B abuse Windows Media Digital Rights
Management (DRM), the mechanism by which Windows Media Player must obtain a
valid license, from a URL embedded in the file, before a protected Windows
Media file will play. When a user opens a video file carrying one of these
Trojans, the player appears to visit a web page to download the corresponding
license. What that page really does is redirect the user to other addresses
from which malicious applications such as adware, dialers or spyware are
downloaded.
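The check a practitioner wants here is to see where a downloaded .wmv will send the player for its license before opening it. The script below, an added example and not Panda's code or anything from the Trojans themselves, walks the ASF header objects of a Windows Media file and extracts the license-acquisition URL from both DRM object types. The object GUIDs are the published ASF values; the WRMHEADER element names it looks for (LAINFO, LA_URL), the trusted-host list and every URL are this example's assumptions, and the sample file is constructed inline so it runs offline.

```python
"""Pull the DRM license-acquisition URL out of a Windows Media (ASF/WMV) header.

Added example, not Panda's code or WmvDownloader itself. The object GUIDs are
the published ASF values; the WRMHEADER element names checked (LAINFO for
WMDRM v2 headers, LA_URL in later ones) and every URL below are assumptions,
and the sample file is constructed so the script runs offline.
"""
import re
import struct
import uuid
from urllib.parse import urlparse

ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le
LA_TAG = re.compile(r"<(?:LAINFO|LA_URL)>\s*([^<]+?)\s*</")


def header_objects(data: bytes):
    """Yield (guid, payload) for each child object inside the ASF Header Object."""
    if data[:16] != ASF_HEADER:
        raise ValueError("not an ASF/WMV file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))  # 16 guid + 8 size + 4 count + 2 reserved
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # malformed or truncated object: stop rather than trust its size
        yield guid, data[pos + 24:pos + size]
        pos += size


def _length_prefixed(buf: bytes, count: int) -> list:
    """Split `count` DWORD-length-prefixed fields from buf (WMDRM v1 layout)."""
    fields, pos = [], 0
    for _ in range(count):
        n = struct.unpack_from("<I", buf, pos)[0]
        fields.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields


def license_urls(data: bytes) -> list:
    """Every license-acquisition URL a player would contact for this file."""
    urls = []
    for guid, payload in header_objects(data):
        if guid == ASF_CONTENT_ENCRYPTION:
            # v1 object: secret data, protection type, key id, license URL
            url = _length_prefixed(payload, 4)[3]
            urls.append(url.rstrip(b"\0").decode("ascii", "replace"))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            n = struct.unpack_from("<I", payload, 0)[0]
            raw = payload[4:4 + n]
            if raw.startswith(b"\xff\xfe"):  # UTF-16LE byte-order mark
                raw = raw[2:]
            urls.extend(LA_TAG.findall(raw.decode("utf-16-le", "replace")))
    return urls


def assess(url: str, trusted_hosts) -> str:
    """'ok' when the license host is one you expect, else a one-line warning."""
    p = urlparse(url)
    if p.hostname in trusted_hosts:
        return "ok"
    return f"untrusted license host {p.hostname!r} via {p.scheme or '?'}: {url}"


def _obj(guid: bytes, payload: bytes) -> bytes:
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def build_sample_wmv(v1_url: str, v2_url: str) -> bytes:
    """Constructed ASF header carrying both DRM object types (no media data)."""
    def lp(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    v1 = _obj(ASF_CONTENT_ENCRYPTION,
              lp(b"\x00" * 4) + lp(b"DRM\0") + lp(b"KEYID000") + lp(v1_url.encode() + b"\0"))
    xml = ('<WRMHEADER version="2.0.0.0"><DATA><KID>AAAAAAAAAAAAAAAAAAAAAA==</KID>'
           f'<LAINFO>{v2_url}</LAINFO></DATA></WRMHEADER>')
    v2 = _obj(ASF_EXT_CONTENT_ENCRYPTION, lp(b"\xff\xfe" + xml.encode("utf-16-le")))
    children = v1 + v2
    return ASF_HEADER + struct.pack("<QI", 30 + len(children), 2) + b"\x01\x02" + children


if __name__ == "__main__":
    sample = build_sample_wmv("http://license.example.invalid/v1",
                              "http://adware-drop.example.invalid/getlicense.asp")
    for u in license_urls(sample):
        print(assess(u, trusted_hosts={"license.example.invalid"}))
```

Run it against a real file with `license_urls(open(path, "rb").read())`: a legitimate protected clip names the distributor's license server, whereas the files described above point somewhere that serves adware rather than a license. The parser stops at the first object whose declared size runs past the header, so a truncated or deliberately malformed file yields an empty list rather than an exception.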

The first worm we'll look at today is Lasco.A, which spreads to mobile
phones running the Symbian operating system. Although it initially targeted
Nokia Series 60 phones, it can also affect other devices using the same
platform.

Lasco.A propagates in two ways.

1.- Via Bluetooth (short-range wireless connections between devices).
When run, Lasco.A searches for other Bluetooth devices in range and, if it
finds one, sends it a copy of itself in a file called VELASCO.SIS. When the
device it has sent the file to moves out of Bluetooth range, Lasco.A searches
for other devices to infect.

2.- By inserting its code into every SIS (Symbian installation) file on the
infected device. When those files are passed on and installed on other
devices, they infect them with Lasco.A.

Lasco.A cannot spread without user intervention: the recipient sees a prompt
announcing the incoming file, and the worm installs itself on the device only
if the user accepts it.

We end today's report with Gaobot.CKP, a worm that spreads by copying itself
to network shares and by exploiting the LSASS (MS04-011), RPC DCOM (MS03-026)
and WebDAV (MS03-007) vulnerabilities. It can also get into computers running
SQL Server whose 'sa' (System Administrator) account has a blank password,
and into computers running vulnerable versions of DameWare Mini Remote
Control. Finally, Gaobot.CKP also enters computers through the backdoors left
open by the following malware: Bagle.A, Mydoom.A, Optix, NetDevil, Kuang and
SubSeven.

Gaobot.CKP lets attackers take remote control of the computers it infects,
allowing them to run commands, download and execute files, log keystrokes
and launch Distributed Denial of Service (DDoS) attacks.
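Every one of those propagation vectors is a TCP connection from an infected host to a specific port on many neighbours, so the cheapest network-side indicator is a single source sweeping one of those ports. The script below is an added example, not Panda's code or anything from Gaobot: it reads constructed firewall log lines and reports any source that reached at least ten distinct hosts on one of the worm's ports within five minutes. The log format and all addresses are constructed, and the port-to-vector table is this example's own mapping taken from public descriptions of those vectors; the report itself gives no port numbers.

```python
"""Spot Gaobot-style scanning in firewall logs: one source hitting many
hosts on the ports the worm's propagation vectors use.

Added example, not from Panda's report or from Gaobot. The log format and
all addresses are constructed; the port-to-vector table is this example's
own mapping from public descriptions of those vectors, not from the report.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed mapping of the report's vectors to listening ports (see docstring).
WORM_PORTS = {
    445: "LSASS (MS04-011)",
    135: "RPC DCOM (MS03-026)",
    80: "WebDAV (MS03-007)",
    1433: "SQL Server with blank 'sa' password",
    6129: "DameWare Mini Remote Control",
    3127: "Mydoom.A backdoor",
    6777: "Bagle.A backdoor",
    3410: "Optix backdoor",
    901: "NetDevil backdoor",
    17300: "Kuang2 backdoor",
    27374: "SubSeven backdoor",
}

# Constructed log line shape: "<date> <time> <action> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:ACCEPT|DROP) "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) \w+$")


def parse(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match are ignored."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_sweepers(lines, window=timedelta(minutes=5), min_targets=10):
    """Return {src: {dport: targets}} for sources that reached at least
    min_targets distinct hosts on one worm port within any `window`."""
    flows = defaultdict(list)                      # (src, dport) -> [(ts, dst)]
    for ts, src, dst, dport in parse(lines):
        if dport in WORM_PORTS:
            flows[(src, dport)].append((ts, dst))
    hits = defaultdict(dict)
    for (src, dport), events in flows.items():
        events.sort()
        in_window, lo, best = Counter(), 0, 0     # sliding window of distinct dsts
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:    # expire events older than window
                old = events[lo][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src][dport] = best
    return dict(hits)


def sample_log():
    """Constructed lines: one infected host sweeping 445, one normal SMB client."""
    base = datetime(2005, 1, 14, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")

    lines = [f"{stamp(2 * i)} DROP 10.0.0.5:{3000 + i} -> 10.0.1.{i}:445 TCP"
             for i in range(1, 16)]                                  # 15 targets
    lines += [f"{stamp(40 + i)} DROP 10.0.0.5:{4000 + i} -> 10.0.1.{i}:3127 TCP"
              for i in range(1, 4)]                                  # 3 targets
    lines += [f"{stamp(i)} ACCEPT 10.0.0.7:{5000 + i} -> 10.0.2.10:445 TCP"
              for i in range(20)]                                    # 1 target
    lines.append("this line is not a firewall record and is skipped")
    return lines


if __name__ == "__main__":
    for src, ports in find_sweepers(sample_log()).items():
        for dport, n in ports.items():
            print(f"{src}: {n} distinct hosts on port {dport} ({WORM_PORTS[dport]})")
```

Counting distinct destinations rather than packets is what separates the worm from a busy workstation: the normal client in the sample makes twenty connections to port 445 but to a single file server, so it never trips the threshold, while the infected host touches fifteen different machines in thirty seconds. Lowering `min_targets` to three also surfaces the same host probing the Mydoom.A backdoor port, which is the kind of second-stage corroboration worth looking for before declaring an infection.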

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

Madrid, January 21 2005 - This week's virus report looks at three worms
-Bropia.A, Zar.A and Mydoom.AE-, and Gaobot.batch.

Bropia.A spreads via MSN Messenger. It looks for an open conversation window
(a window of the class 'IMWindowClass') and, if it finds one, sends a copy of
itself to the contact under one of the following names: Drunk_lol.pif,
Webcam_004.pif, sexy_bedroom.pif, naked_party.pif and love_me.pif.

Once run, Bropia.A checks %systemdir% for files named adaware.exe, VB6.EXE,
lexplore.exe (note the lowercase 'l', mimicking iexplore.exe) and Win32.exe.
If they do not exist, it drops a file containing a copy of a Gaobot variant.
Bropia.A also creates several empty files in %systemdir% and keeps them open,
so that the taskmgr.exe and cmd.exe processes cannot be run. It also disables
the CTRL+ALT+DEL key combination and can disable the right mouse button.

Zar.A spreads by email in a message that refers to the tsunami that struck
Asia in December 2004. Both the subject and the body appeal for help for the
victims, and the attachment is called TSUNAMI.EXE. When the file is run, the
computer is infected by Zar.A, which uses MAPI to send a copy of itself to
every address in the Outlook address book.

Zar.A creates three files and adds a Windows registry entry so that it runs
every time the computer starts. The worm also tries to launch Denial of
Service (DoS) attacks against the w w w.hacksector.de website.

The next worm we'll be looking at today is Mydoom.AE, which spreads in emails
with variable characteristics and through P2P file-sharing programs.

Once it infects a computer, Mydoom.AE takes the following actions:

- It opens Notepad and displays a text made up of random characters.

- It modifies the HOSTS file so that the web sites of certain antivirus
companies can no longer be reached, and terminates processes belonging to
certain antivirus programs, leaving the computer exposed to attack from other
malware.

- It terminates processes belonging to other malware.

- It tries to download a file from the Internet.
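The HOSTS tampering is easy to verify by hand once you know what to look for: a clean hosts file maps localhost and perhaps a few internal names, so any entry for a security vendor's domain is suspect whether it points at 127.0.0.1, 0.0.0.0 or an attacker's own server. The script below is an added example, not Panda's code or anything from Mydoom.AE; it parses hosts-file text and lists every mapping for a watched domain. The vendor domains in WATCHED_SUFFIXES are this example's own choice (the report does not say which sites Mydoom.AE blocks), and the sample hosts text is constructed.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example, not from Panda's report or Mydoom.AE. The domains in
WATCHED_SUFFIXES are this example's own choice (the report does not name
the sites Mydoom.AE blocks) and SAMPLE_HOSTS is constructed.
"""
import ipaddress
from pathlib import Path

# Assumed watch list: vendor and update domains a worm has a motive to block.
WATCHED_SUFFIXES = (
    "symantec.com", "mcafee.com", "kaspersky.com", "pandasoftware.com",
    "trendmicro.com", "sophos.com", "f-secure.com", "windowsupdate.com",
    "microsoft.com",
)

# Windows hosts file location (default %SystemRoot% assumed here).
WINDOWS_HOSTS = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()       # strip trailing comments
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first column is not an IP
        for name in fields[1:]:                    # one line may map several names
            yield no, str(ip), name.lower().rstrip(".")


def hijacked_entries(text: str, watched=WATCHED_SUFFIXES):
    """Every mapping for a watched domain, whatever address it points at.

    A sinkhole (127.0.0.1, 0.0.0.0) and a redirect to an attacker's server
    are both reported: a legitimate hosts file has no reason to name these
    domains at all."""
    return [(no, ip, name) for no, ip, name in parse_hosts(text)
            if any(name == s or name.endswith("." + s) for s in watched)]


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.20    fileserver fileserver.corp.example   # internal box, fine
# 127.0.0.1 www.sophos.com   (commented out: must not fire)
127.0.0.1 www.symantec.com securityresponse.symantec.com
0.0.0.0\tliveupdate.symantec.com
10.13.37.5      download.mcafee.com  # redirected, not sinkholed: still a hit
notanip         www.kaspersky.com
"""


if __name__ == "__main__":
    text = WINDOWS_HOSTS.read_text(errors="replace") if WINDOWS_HOSTS.exists() else SAMPLE_HOSTS
    for no, ip, name in hijacked_entries(text):
        print(f"line {no}: {name} -> {ip}")
```

On an infected machine the same check can be run from a boot CD or a clean host by pointing `WINDOWS_HOSTS` at the mounted drive, since the worm also kills the antivirus processes that would otherwise raise the alarm.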

We end today's report with a mention of Gaobot.batch, a batch file that
deletes the original Gaobot file once the worm has been installed on the
computer.